Point to Point networking issue

Uberwilhelm · Post by **Uberwilhelm** » Thu Apr 10, 2008 6:18 pm

Hello all.

I have a point to point T1 (installed and managed by our ISP) connecting a remote office to our main one. I created a new DHCP scope for the office. In the remote office someone connects and pulls the correct DHCP info. Ip, subnet, dns ect.. they can get to the internet (shared with the main office), they are being Surfcontrolled, and they can ping any server in the main office. The problem is that nothing in the remote office can authenticate with the parent domain. I tried adding one of the computers to the domain and it asked me for credentials. I entered them but then it times out stating that the domain cannot be found. The parent office has a scope of 192.168.1.1 - 192.168.3.254 and the remote office has 192.168.4.1 - 192.169.4.254 They both share the same domain controllers. This is my first time working with this so I am stumped. Can anyone offer up some suggestions? Many thanks

ErikD · Post by **ErikD** » Fri Apr 11, 2008 6:30 am

What subnet masks are you using to get those scopes? Usually those would be multiple subnets, and thus should cover multiple different scopes.

Also, no servers in the branch office? All DHCP, DNS, etc is being handled from the HQ?

Post by **YeOldeStonecat** » Fri Apr 11, 2008 6:46 am

I'd be looking into DNS/WINS. Satellite offices getting the DCs for their DNS? Not the router or ISP DNS servers for their DNS, right?

Can you ping the DC by name and get replies?

Uberwilhelm · Post by **Uberwilhelm** » Fri Apr 11, 2008 9:34 am

The home subnet is 255.255.252.0 and the remote one is 255.255.255.0 there are no servers there at all. They pull all of their DHCP from the DCs here. They are pulling the correct DNS server IPs from here (internal not external). I can ping the servers by both name and IP. it is very confusing. Thanks for the help.

ErikD · Post by **ErikD** » Fri Apr 11, 2008 4:39 pm

Can you browse the network on the other side of the T1? For example can the branch office users get to files on the shared folders?

How does the PTP connect to the main site? Is there a firewall involved at all?

Uberwilhelm · Post by **Uberwilhelm** » Sat Apr 12, 2008 9:23 am

ErikD wrote:Can you browse the network on the other side of the T1? For example can the branch office users get to files on the shared folders?

How does the PTP connect to the main site? Is there a firewall involved at all?

Good morning.

No, the remote office cannot browse the home network. The PTP is connect via hosted routers by our ISP (AT&T) in preparation for our MPLS that will be going in at the end of the year when we open another office. There is no firewall between the two. This is very confusing. Thanks for the help.

ErikD · Post by **ErikD** » Sat Apr 12, 2008 11:25 am

When I hear about any equipment leased/rented from an ISP they are usually my first call. Without any access to the configuration of those devices there is no way to be certain that there is no ACL or other configuration that blocks the traffic you want. It seems basic routing is setup properly as you can ping to the servers.

What model of routers are these? Can you get the configurations to inspect?

Uberwilhelm · Post by **Uberwilhelm** » Sat Apr 12, 2008 11:46 am

ErikD wrote:When I hear about any equipment leased/rented from an ISP they are usually my first call. Without any access to the configuration of those devices there is no way to be certain that there is no ACL or other configuration that blocks the traffic you want. It seems basic routing is setup properly as you can ping to the servers.

What model of routers are these? Can you get the configurations to inspect?

They have Cisco 2600s (I believe) on each end. I already called them and they say that as long as traffic is flowing and I can ping the servers from there, the routers are configed correctly and it must be a windows issue. I will see if I can get the configs on them on Monday.

ErikD · Post by **ErikD** » Sat Apr 12, 2008 6:50 pm

The 2600 series is at End of Life with Cisco, but if they are supplied and supported by the ISP I guess it doesn't matter much.

Passing traffic means very little. If there is something configured wrong on the router it might allow icmp, but deny other types of traffic. To me it sounds like you are able to pass most of the generic types of traffic (http, icmp, etc.) but hit a wall when it comes to passing traffic for Windows file sharing. I would start my troubleshooting by making sure nothing in the configuration of the routers is blocking any traffic. If there is any ACL on the interface at all there is a default statement placed at the end by Cisco IOS to deny all traffic not explicitly matched in any of the prior statements. So if there is no statement explicitly allowing Windows traffic it will get cut.

Something else to consider at this level is make sure there is a route from the main office to the branch. The branch will be fine just sending out all traffic over the T1, but the HQ will require a specific static route for the branch office pointing to the router in the HQ.

Uberwilhelm · Post by **Uberwilhelm** » Mon Apr 14, 2008 1:22 pm

ErikD wrote:The 2600 series is at End of Life with Cisco, but if they are supplied and supported by the ISP I guess it doesn't matter much.

Passing traffic means very little. If there is something configured wrong on the router it might allow icmp, but deny other types of traffic. To me it sounds like you are able to pass most of the generic types of traffic (http, icmp, etc.) but hit a wall when it comes to passing traffic for Windows file sharing. I would start my troubleshooting by making sure nothing in the configuration of the routers is blocking any traffic. If there is any ACL on the interface at all there is a default statement placed at the end by Cisco IOS to deny all traffic not explicitly matched in any of the prior statements. So if there is no statement explicitly allowing Windows traffic it will get cut.

Something else to consider at this level is make sure there is a route from the main office to the branch. The branch will be fine just sending out all traffic over the T1, but the HQ will require a specific static route for the branch office pointing to the router in the HQ.

I just checked and they are Cisco 1800 routers. I contacted them to ask to speak with the person who configured them to see if anything is being blocked. There has to be a route in place otherwise I wouldn't be able to ping the servers by name from the remote office correct? Thanks a lot for the help. this is a most confusing issue.

ErikD · Post by **ErikD** » Tue Apr 15, 2008 6:36 pm

Yes, it would seem you have some sort of basic routing setup between the sites. I would say get the actual config of both routers on paper so you can check yourself. It is very possible that the config they put in blocks cross network traffic not destined for the internet (or port 80).

One more thought, you say they are surf controlled. Does the proxy work in the remote office, or are they just doing a direct connection to the internet?

Post by **YeOldeStonecat** » Wed Apr 16, 2008 6:52 am

I'd call the ISP and explain to them that you have a WAN...you need network browsing....and have them double check the ACLs on the tunnel.

Before doing do...confirm some more testing from the remote location....ping servers by IP and get replies..ping servers by name and get replies....what happens if you bring up whack whack servername....no shares seen?